SecureDoc v7.26 Release Notes

Please note that WinMagic is deprecating SecureDoc V4 PreBoot Authentication (PBA) support for SEDs in favor of the fuller function, more capable, V5 PreBoot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.

WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during the process of installing the SecureDoc Client software, bearing in mind that many customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is on or will be on the machine, while others may need to protect new devices before the end-users of those devices have been defined, as well as other scenarios.

Please refer to the When SecureDoc server is upgraded to version 7.1 SR4 from previous versions (6.5 or earlier) and the Device Provisioning Rules sections under the Creating Installation Packages for Windows chapter in the SES User Manual to understand how these new settings work, in order to inform your own use of these new features, particularly as they operate in a way that cannot be easily migrated from the previous methodology to the new methodology. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that will meet your security design.

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of the Full-Text Indexing. This message will not allow the user to stop the installation of SES which will require retrofitting Full-Text Indexing into an existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.

SecureDoc CloudVM does not support moving of parent folders between two different Organizational Units (OU’s) in the Active Directory.

If any parent folder is moved from one OU to a different OU, then duplicate OU names are created in the SecureDoc Enterprise Sever (SES).

Recommendation: Users should avoid the movement of parent folders between Organization units, if at all possible.

The deployed installation packages (which contains the profile options) created using the SESWeb cannot be modified.

Recommendation: At this stage, if a different profile behavior is required for a given device, the device should be decrypted, SecureDoc should be uninstalled, a new profile/package deployed to the device and the device re-encrypted.

Recommendation: Users are advised that, though self-help recovery is incongruous in the context of Cloud-hosted servers (since they auto-boot), at this point the standard behavior of the SecureDoc Key File applies, which natively normally requires responses to Self-Help recovery questions.

SecureDoc CloudVM extends limited support Azure Classic VMs.

When Azure Classic VMs are synced into SES Web, their instance state will be reported as “ReadyRole” instead of “Running”.

Note: “ReadyRole” actually means the same as a status of “Running” for other devices. This is because the Classic instances, unlike the RM instances, have a different system state label.

SecureDoc ClouVM does not support Generation 2 (UEFI) Virtual Machines: The SecureDoc pre-boot functionality does not work on the Generation 2 with UEFI virtual machines.

When a SESWeb package is created and deployed with the "Hide Encryption Progress from User" option set to NO, the encryption progress bar is not visible after the device restart.

Recommendation: Users are advised to expect (in this version) that they may in some circumstances not see the Encryption Progress panel on Azure RM Virtual machines with Standard A1 and A0 sizes, even if the installation package was configured to display it.

The remote command “Lock Device” does NOT work. The client devices fail to lock when SES administrators attempt to lock a selected client device by sending a remote “Lock Device” command from SESWeb, the device fails to lock.

Recommendation: In this version, if it is desired to lock the device, Administrators are recommended to seize control of the device’s desktop remotely, and then send it to screen lock.

User IDs are NOT Case-sensitive. When a SecureDoc CloudVM package is created and deployed from SES Console to the cloud devices with the “User ID is case sensitive” option enabled in the Boot Configuration settings, the SecureDoc application fails to differentiate between capital and lowercase letters of Users’ IDs.

Recommendation: Users should be aware that (in this version) regardless of the settings of the “User ID is case sensitive” option, user IDs will not be case-sensitive.

Azure Auto-Scaling cannot be correctly executed if a parent Virtual Machine is destroyed in the process on VMSS creation.

During the VMSS creation, a parent VM is automatically moved to Recycle Bin during the sync process. If an administrator accidentally deletes this parent VM, the auto-scaling instances fail to register.

Work-around: Create a Parent image and copy this image to a new storage account before creating the VMSS in the newly created storage account.

When a SecureDoc CloudVM package is created with the Native UEFI pre-boot environment boot loader option in the Boot Configuration Settings and deployed it to the client-based Virtual Machines that are running Windows 7, 8.1 or 10 Operating System, a blue screen is displayed and the users won’t be able to log into Windows.

Recommendation: Users are cautioned to avoid any attempt to encrypt Xen/Hyper-V Windows 7, 8.1 and 10 virtual Client devices until this limitation is removed in a future version.

New clones cannot be created from the crypto-erased parent machines.

If a Master virtual machine is crypto-erased, the new child instances using that master image will also be crypto-erased. It is recommended not to crypto-erase a parent virtual machine if you want to create new clones from its image.

Recommendation: Do not crypto-erase a parent virtual machine if you want to create new clones from its image.

SESWeb will NOT support partition encryption and excluding partitions.

The Encrypt partition only option has been removed from SESWeb. SecureDoc CloudVM installation packages cannot be created and deployed to the client devices with the “encrypt partition only” option.

CloudVM Linux now can run on the following flavors of Linux along with these Kernel versions.

RedHat 7.1

3.10

Ubuntu 14.04.3

3.19

CentOS 7

3.10

Please note that SecureDoc pre-boot requires a separate volume in which it is created during the installation process.

Otherwise, the installation process will fail if we are unable to create this special volume.

For conversion, please see the recommendation listed here:

We highly recommend encrypting a Linux VM using our “Thorough” and “Offline” Mode.

Please do not forcibly power off a VM during the encryption process regardless of the conversion mode. Whether it’s in the “fast” or “thorough” Mode.

If you are using the “fast” conversion Mode, while Linux VM is running. Do not perform any read and/or write operations. Such as copying a file, working on a program and so forth, during the conversion process.

SecureDoc CloudVM can only encrypt the root volume of the Linux VM and cannot encrypt the other volumes.

Such as data that is attached to Linus VM.

Please note that you cannot add and/or remove the key file to running VM for the offline usage.

For the Public Cloud: Market Place AMI’s for Ubuntu environment found in AWS and Azure are not compatible with the current version of SDLinux.

However, a custom environment can be created and uploaded to the mentioned public cloud environments. This is compatible with SDLinux.

Please note: Not all of the client’s info is sent back to SES database after deploying and encrypting.

Please note: SESWeb Compliance for Linux device does not update accordingly. This only affects SDLinux not Windows.

Work-around: the SES administrator can manually look at the console to know if the device is compliant or not.

Crypto-erase features from SES are not currently supported for SDLinux VM.

Please note: that SecureDoc does not at the moment support cloning of encrypted Linux based environments. This affects functionality related to cloning features such as Auto Scaling (not supported in this current release).